Date:      Fri, 02 Sep 2011 11:44:20 +0200
From:      Florian Smeets <flo@freebsd.org>
To:        Jeremy Chadwick <freebsd@jdc.parodius.com>
Cc:        Pavel Timofeev <timp87@gmail.com>, apache@freebsd.org, ade@freebsd.org
Subject:   Re: Install apache-2.2.20
Message-ID:  <4E60A574.5040705@freebsd.org>
In-Reply-To: <20110902090342.GA48221@icarus.home.lan>
References:  <CAAoTqfuCAQ2-bUYJD35Xj_kZ_Mc7H-Y3fgPuD-13L8rLm8%2BbUw@mail.gmail.com> <20110902084108.GA46572@icarus.home.lan> <4E609855.9070507@freebsd.org> <20110902090342.GA48221@icarus.home.lan>

On 02.09.2011 11:03, Jeremy Chadwick wrote:
> On Fri, Sep 02, 2011 at 10:48:21AM +0200, Florian Smeets wrote:
>> On 02.09.2011 10:41, Jeremy Chadwick wrote:
>>> On Fri, Sep 02, 2011 at 12:06:26PM +0400, Pavel Timofeev wrote:
>>>> Hi, there's a problem
>>>> [root@timbsd /usr/ports/www/apache22]# make
>>>>
>>>> ===>    apache-2.2.20 has known vulnerabilities:
>>>> =>   apache -- Range header DoS vulnerability.
>>>>     Reference:
>>>> http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html
>>>> =>   Please update your ports tree and try again.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>> *** Error code 1
>>>>
>>>> Stop in /usr/ports/www/apache22.
>>>
>>> Looks like someone may have screwed up the portaudit (security/vuxml)
>>> update.
>>>
>>
>> You just need to download the current database.
>>
>> # portaudit -F
>>
>> That worked for me.
>
> Look at the message he's receiving.  "apache-2.2.20 has known
> vulnerabilities".  This is wrong.  Versions *PRIOR* to 2.2.20 have known
> vulnerabilities.

The first vuxml entry that was added for this vulnerability had

| +	<range><gt>2.*</gt></range>
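Review bot: `<range><gt>2.*</gt></range>` has no upper bound, so every 2.x version, including the fixed 2.2.20 that the OP is building, matches and is reported as vulnerable; the range needs an `<lt>` term naming the first fixed version.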

It was fixed yesterday to match only versions lower than 2.2.20

| -	<range><gt>2.*</gt></range>
| +	<range><gt>2.*</gt><lt>2.2.20</lt></range>
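Review bot: the corrected range `<gt>2.*</gt><lt>2.2.20</lt>` now stops short of 2.2.20, but it is still attached only to the `apache` package name; as the thread notes further down, the ITK MPM slave port receives no warning, so the entry also needs a `<name>` for the slave ports (apache-itk and the like) or users of those ports keep building a vulnerable 2.2.19 without any notice.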


That's why I suggested downloading the new database.

>
> So again: someone messed up the portaudit (security/vuxml) database.  If
> it got fixed, I'm not seeing any evidence of that yet either:
>

If you download the newest db, Pavel's problem should be fixed.

> Let's recap:
>
> 1) The message the OP is receiving is that Apache 2.2.20 is insecure,
> which is wrong.

See above.

>
> 2) I'm using apache22 with the ITK MPM and I receive no such security
> concern message.
>
> 3) portaudit -Fda doesn't indicate anything is insecure besides PHP on
> my system, even though it obviously is (using Apache 2.2.19).
>

Ok, that's a different problem. 2 and 3 are basically the same problem, no? I think the slave ports need to be added to the entry, too.

> 4) Here's the relevant contents of the portaudit db:
>
> icarus# bzcat /var/db/portaudit/auditfile.tbz | strings -a | egrep ^apache | grep Range
> apache>2.*<2.2.20|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html|apache -- Range header DoS vulnerability
>

You have the current database :)

> In my case (re: not receiving the security warning), it may be that
> someone did not add the apache-itk-XXX shims to the portaudit db, which
> are the direct result of the "stub" ports for Apache.  I don't know who
> maintains this, but it's obviously incomplete.
>

Yes, they should be added.

Cheers,
Florian
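To make the range discussion concrete, here is an added example (not portaudit's or vuxml's own code, and not from anyone in the thread) that re-implements, in simplified form, how an auditfile line such as the one Jeremy quoted is matched against an installed package. The version comparison and the handling of the `2.*` wildcard (treated as "any version starting with `2.`") are constructed assumptions that stand in for FreeBSD's real pkg version rules; the two sample auditfile lines are constructed to mirror the entry before and after the fix. Running it shows why the unbounded `apache>2.*` entry flagged 2.2.20, why the corrected `apache>2.*<2.2.20` entry does not, and why an `apache-itk` package is never flagged at all while only the `apache` name is listed.

```python
"""Simplified re-implementation of the portaudit range check discussed in
the thread.  Added example code, not portaudit or vuxml code: the wildcard
and version-comparison rules below are deliberately simplified assumptions.
"""
import re

# Constructed sample lines in the auditfile format quoted in the thread:
# <name><range terms>|<reference URL>|<description>
AUDIT_BEFORE_FIX = (
    "apache>2.*"
    "|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html"
    "|apache -- Range header DoS vulnerability"
)
AUDIT_AFTER_FIX = (
    "apache>2.*<2.2.20"
    "|http://portaudit.FreeBSD.org/7f6108d2-cea8-11e0-9d58-0800279895ea.html"
    "|apache -- Range header DoS vulnerability"
)


def version_key(version):
    """Turn '2.2.20' into (2, 2, 20) so that tuples compare numerically.
    Assumption: a simplification of FreeBSD's pkg version ordering."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_audit_line(line):
    """Split one auditfile line into package name, range terms, URL, text."""
    spec, url, desc = line.split("|", 2)
    name, terms = re.match(r"^([^<>=]+)(.*)$", spec).groups()
    # Each term is an operator followed by a bound, e.g. ('>', '2.*').
    ops = re.findall(r"(<=|>=|<|>|=)([^<>=]+)", terms)
    return {"name": name, "ops": ops, "url": url, "desc": desc}


def term_matches(op, bound, version):
    """Evaluate a single range term against an installed version."""
    if "*" in bound:
        # Wildcard bound: '2.*' is taken to mean "any version that starts
        # with '2.'" (assumption; portaudit's real glob handling differs in
        # detail).  Note that nothing here caps the range from above.
        prefix = bound.split("*", 1)[0]
        return version.startswith(prefix)
    have, want = version_key(version), version_key(bound)
    return {"<": have < want, "<=": have <= want,
            ">": have > want, ">=": have >= want,
            "=": have == want}[op]


def is_vulnerable(entry, pkgname, pkgversion):
    """True when the entry names this package and every range term holds."""
    if entry["name"] != pkgname:
        return False
    return all(term_matches(op, bound, pkgversion)
               for op, bound in entry["ops"])


def audit(lines, pkgname, pkgversion):
    """Return the descriptions of every entry that flags pkgname-pkgversion."""
    return [e["desc"] for e in map(parse_audit_line, lines)
            if is_vulnerable(e, pkgname, pkgversion)]


if __name__ == "__main__":
    for db_name, db in (("before fix", [AUDIT_BEFORE_FIX]),
                        ("after fix", [AUDIT_AFTER_FIX])):
        for pkg, ver in (("apache", "2.2.19"), ("apache", "2.2.20"),
                         ("apache-itk", "2.2.19")):
            print(f"{db_name:10s} {pkg}-{ver}: {audit(db, pkg, ver)}")
```

The last case is the one Jeremy's items 2 and 3 describe: with only `apache` as the entry's name, an `apache-itk-2.2.19` install passes the audit silently even though it carries the same httpd code, which is why the slave ports have to be listed in the entry as well.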



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E60A574.5040705>